social issues in computing : forensics

Forensics: New dimension for Governance

Presented By

Name : Karuna Kak and Anirudh Munj

PRN : 12030121030 and 12030121031

Course : BCA

Batch : 2012-15

Division : A

Course : Social Issues In Computing

Upload: karuna-kak

Post on 17-Jul-2015


INTRODUCTION TO FORENSICS

Forensics in ICT terms generally includes two distinct fields:

• using ICT to enhance information gained about a crime (for example, software that can process database searches faster than humans can), and

• gathering information about a crime from a computer that contains data related to the crime.

DEFINITION OF FORENSICS

• Forensics is the use of science and technology to investigate and establish facts in criminal and civil courts of law.

• The goal of any forensic investigation will be to prosecute the criminal or offender successfully, determine the root cause of an event and determine who was responsible.

TECHNIQUES USED IN FORENSICS

• Stringing

• Total station

• Photo composites

• Computerized matching

• Ballistics

• Fingerprints

• DNA

• Handwriting/graphology

STRINGING

• One traditional procedure at a crime scene is to document the locale.

• On a road, the distances, speeds, directions are part of the data set that defines the events. Prior to the availability of high-tech IT equipment, this process involved “stringing”: a police technician would use string to measure distances and angles.

• Today, laser controlled digital cameras and computer generated algorithms have replaced the somewhat imprecise techniques of earlier years.

TOTAL STATION

• A device called the “Total Station” began to replace that imprecise technology of using strings, paper and pencils and analog photographs during the middle of the 20th century.

• It was a device used by engineers that was easily adapted to forensic use because of the (then) precise nature of the data it provided, as opposed to the use of string, for example.

PHOTO COMPOSITES

• One of the classic results of a police investigation into a crime is the “Wanted” poster.

• In pre-digital times, highly skilled artists were part of the staff of a police force: people who could interpret witness descriptions and turn them into visual elements.

• Today, using a combination of digitally captured images and special software, police are able not only to create likenesses that are indistinguishable from actual photographs, but they are also able to put special algorithms to work that can authentically “age” a victim/suspect within reasonably accurate limits.


COMPUTERIZED MATCHING

• There are a number of traces that might be left at a crime scene that can be used to identify the criminal.

• When there is so much data to sort, catalogue and search through, a computer or a computerized database makes the work both faster and less prone to error.

• Special software and hardware adapted to specific uses also increase the likelihood of positive identification, whether it means reconstructing a scene from limited or missing information or whether it means searching a large database to find matching patterns.

BALLISTICS

• Prior to the arrival of computer technology, police experts would examine the markings on bullets found at a crime scene under a microscope.

• They still do; however, the process has been considerably enhanced with the assistance of computers: much of the visual comparison can now be automated.

• Similarly, rather than having a desk clerk search through long files in search of serial numbers – on weapons recovered or ammunition – centralized databases and logged electronic records allow police to make better use of their time.

FINGERPRINTS

• The use of fingerprints to identify individuals was known as far back as ancient times; Greek and Babylonian records show the use of fingerprints as a signature.

• However, it was only about the 1850s when police investigations began to make extensive use of fingerprints as “proof positive”.

• Although no two people have the same fingerprints, police are often limited by the amount of data they can search through.

• Today, police detectives can work online, with access to a national digital archive of known fingerprints.

DNA

• Similar to the case of fingerprints, but an even more recent development, is the use of DNA as positive identification in a crime.

• DNA identification can work with any body parts to create a very clear profile of the person the sample comes from.

• Again, the chance of identification is made better when you have a larger database to work from.

• Police have been allowed to build a better DNA database: they have been given the legal right to collect and save a digital DNA file for anyone who is taken to the police station.

• The fact that the police are allowed to take a DNA “swab” even of people who are not charged with a crime has become a major issue of privacy rights.

HANDWRITING/GRAPHOLOGY

• Handwriting analysis involves forensic examination of such factors as (pen) pressure, slant or angle of letters, deviation above and below imaginary “standard” lines and other factors such as the size of loops in the letters.

• While much of this is based on visual observation, software that can scan and then automatically, digitally compare these features is making this science more reliable as a tool for detection.

STUXNET

• Largest and costliest development effort in malware history

• A team of highly capable programmers

• In-depth knowledge of industrial processes

• The complexity of the code indicates that only a nation-state would have the capabilities to produce it

• The self-destruct and other safeguards within the code imply that a Western government was responsible, with lawyers evaluating the worm's ramifications

DIGITAL FORENSIC (DF)

• DF involves the preservation, identification, extraction and documentation of digital evidence stored as data or magnetically encoded information.

• This includes the recovery, analysis and presentation of digital evidence in a way that is admissible and appropriate in a court of law.

DIGITAL FORENSICS AS A MULTI-DIMENSIONAL DISCIPLINE

• We consider the dimensions of Information Security as a baseline when defining dimensions for DF.

• The following dimensions were identified for digital forensics:

Corporate Governance

Policy

Legal and Ethical

People

Technology

• The dimensions are inter-related and cannot exist in isolation.

CORPORATE GOVERNANCE DIMENSION

• The Corporate Governance dimension will handle the management aspects of DF in an organization.

• Management is responsible for the security posture of an organization.

• Management can only manage security incidents if, for example, the root cause of the event is determined and appropriate action to rectify it can be taken – this may involve forensic investigations.

• The Corporate Governance dimension includes strategic governance and operational governance.

• Typically strategic governance will be from a strategic perspective, while operational governance will provide management directives on an operational level.

POLICY DIMENSION

• A general forensic investigation policy is required to provide a framework for DF policies in the organisation.

• Examples of other policies are how to handle evidence, how to seize evidence and how to conduct covert or overt investigations. Policies are normally supported by procedures and guidelines.

• Procedures also need to be set up so that the investigations will be able to stand up to legal scrutiny in court.

• These procedures must also be scientifically sound and proven to maintain the integrity of the evidence and process.

POLICY DIMENSION

Six categories of policies to facilitate Digital Forensic Investigations (DFI):

Retaining Information

Planning the Response

Training

Accelerating the Investigation

Preventing Anonymous Activities

Protecting the Evidence

LEGAL AND ETHICAL DIMENSION

• The Legal and Ethical dimension of DF is very important in organizations.

• In Cyberspace there is no universal or common ‘Cyber law’. Various judiciary systems exist in different countries.

• The forensic investigator must be familiar with local legal and international laws, treaty requirements and industry specific legal requirements when preparing to present a case that will be able to stand up to legal scrutiny in court.

• Ethical aspects of DF are becoming more and more important.

PEOPLE DIMENSION

• People are the most important part of any organisation and normally the weakest link in the security chain of the organization.

• When an incident occurs it is most likely that people will contaminate the evidence while figuring out what has happened. Training is therefore essential, and there is a huge need for forensic awareness training.

• This dimension will look at training and awareness programs in an organization.

• The profile and composition of a DF team is also very important.

• One person normally does not have all the required skills to conduct an investigation. Therefore the team should consist of a team leader, network specialist, code specialist, business process specialist and a quality manager.

TECHNOLOGY DIMENSION

• No DF investigation can be conducted without a DF toolkit.

• Various specialised software and / or physical hardware tools will make up the DF toolkit as different tools are used for different purposes.

• The way the tools are utilised as well as the acceptance of a specific tool by the legal authorities are vital for any forensic investigation.

• The forensic and legal community has accepted certain industry standard tools e.g. EnCase (Meyers M, Rogers M, 2004).
